Security Log Multiple Success/Failure Audit records

Archived from groups: microsoft.public.win2000.security (More info?)

Those are events recorded for object access and privilege use. Unless you
have a particular reason for auditing object access and privilege use you
probably want to disable such in the appropriate security policy. Auditing
of object access is needed however if you are auditing folder permissions.

In general unless your users are having problems running applications or
accessing files I would not worry about the failure for object access and
privilege use. The exceptions would be for troubleshooting access problems,
auditing for specific access to folders, and auditing for users trying to
use specific sensitive privileges. --- Steve



"Armyeric" <Armyeric@discussions.microsoft.com> wrote in message
news:392AB8E6-9039-4486-8C72-BD6885651C2C@microsoft.com...
>I get the following events from my all my users...they are paired with a
> success and a failure. I am not sure how to read them and make them stop.
> Any advice would be welcome.
>
> Thanks, Eric
>
> Success Audit
> Object Open:
> Object Server: Microsoft Exchange
> Object Type: Microsoft Exchange Database
> Object
> Name: /O=RGA/OU=ROCKFORD/cn=Configuration/cn=Servers/cn=MMEXG/cn=Microsoft
> Private MDB
> New Handle ID: 0
> Operation ID: {0,11128078}
> Process ID: 3164
> Primary User Name: MMEXG$
> Primary Domain: ROCKFORD
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: Recover1
> Client Domain: ROCKFORD
> Client Logon ID: (0x0,0xA9CCFA)
> Accesses -
> Privileges -
>
> Properties:
> Unknown specific access (bit 8)
> Create public folder
> Create named properties in the information store
>
> And the Failure Audit:
> Object Open:
> Object Server: Microsoft Exchange
> Object Type: Microsoft Exchange Database
> Object
> Name: /O=RGA/OU=ROCKFORD/cn=Configuration/cn=Servers/cn=MMEXG/cn=Microsoft
> Private MDB
> New Handle ID: 0
> Operation ID: {0,11128079}
> Process ID: 3164
> Primary User Name: MMEXG$
> Primary Domain: ROCKFORD
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: Recover1
> Client Domain: ROCKFORD
> Client Logon ID: (0x0,0xA9CCFA)
> Accesses Unknown specific access (bit 8)
>
> Privileges -
>
> Properties:
> DELETE
> Modify public folder quotas
> Unknown specific access (bit 1)
> Unknown specific access (bit 4)
> Administer information store
> ACCESS_SYS_SEC
> %{d74a8774-2289-11d3-aa62-00c04f8eedd8}
> ---
> Mail-enable public folder
> WRITE_DAC
> SYNCHRONIZE
> Unknown specific access (bit 9)
> Unknown specific access (bit 11)
> Unknown specific access (bit 12)
> Modify public folder deleted item retention
> DELETE
> READ_CONTROL
> Unknown specific access (bit 0)
> Unknown specific access (bit 1)
> Unknown specific access (bit 2)
> Unknown specific access (bit 3)
> Unknown specific access (bit 4)
> Modify public folder expiry
> DELETE
> READ_CONTROL
> WRITE_DAC
> WRITE_OWNER
> Unknown specific access (bit 0)
> Unknown specific access (bit 1)
> Unknown specific access (bit 2)
> Unknown specific access (bit 3)
> Unknown specific access (bit 4)
> Unknown specific access (bit 5)
> Modify public folder replica list
> View information store status
> DELETE
> READ_CONTROL
> WRITE_DAC
> WRITE_OWNER
> Unknown specific access (bit 0)
> Unknown specific access (bit 1)
> Unknown specific access (bit 2)
> Unknown specific access (bit 3)
> Unknown specific access (bit 4)
> Unknown specific access (bit 5)
> Create top level public folder
> Unknown specific access (bit 0)
> Unknown specific access (bit 8)
> Modify public folder ACL
> ACCESS_SYS_SEC
> MAX_ALLOWED
> Modify public folder admin ACL
>
>
>